I’m also still quite stuck at the early stage, but if you are referring to the credentials for vhost, it is sort of a brute force, but you probably have to write your own script and define some rules (e.g. length of password, possible characters) to reduce the brute force’s scope.
1º It’s important to enumerate in this box, but Dirbuster won’t lead you where you need.
2º When you are starting with one HTB machine, it’s a good practice to try the Vhost (name of the machine) + .htb. In some instances, you might get additional Vhosts which are worth checking as well.
3º If you arrive at a login page, you are on the right path.
4º The mango is a word play related to the technology to research. Mango is not a mango, but is close to it.
5º Once you figure out the technology, research how you could exploit it. There are different articles on the Internet. One of those articles will give you an idea about how to proceed further.
6º My advice would be to play first with Burp and the Repeater, in order to get a slight idea about how to design your attack. Then, create your own script. This was the best part for me.
Root: Basic enumeration. It’s way easier than user, and I am sure you have solved other machines this way.
Rooted, finally. Took me a few hours for initial shell, but the rest was a walk in the park. Enum well; however, dirb did not help me. Keep it simple after initial shell, burp your way to these flags like a mongo.
@MrR3boot thank you - the headaches have stopped after smacking my head off the desk! Thanks to everyone that gave nudges. Lesson learned: remember the basics.
For anybody having trouble finding out what’s running behind the curtain: after the new way has opened up for you, return to basic enumeration; there is something to be found if you follow the path.
For the next step, listen closely to the responses you get; it’s not as blind as you may think it is. There are a few articles out there outlining the process.
Regarding root, I looked up GTFOBins for the thing I thought I found; unfortunately it didn’t work. Would be glad about any pointers! Thanks
I had fun with this box. I went down a hole and missed the obvious with root. Once I noticed the correct path it was a matter of minutes. PM for nudges.
It is an interesting machine. When people say that Mango is a word game, it really is, but don’t try to break your head trying brute force with combinations of this word or similar things; I did, and it was discouraging.
The escalation is very easy; there is a very clear hint in the folder of the second user.
Thanks @JadeWolf for assisting me with the re**x syntax, I’ve been losing my ■■■■ over that one.
Oh, and I LOVED the box @MrR3boot, learned a ton here, can’t think of a higher praise.